Amendments to the Claims:
This listing of claims replaces all prior versions and listings of claims in the application:

Listing of Claims:

(Currently Amended) 1. A monitoring device disposed for thwarting denial of
service attacks on a data center, the monitoring device comprising:

a plurality of probe devices that are disposed to collect statistical information on packets
that are sent between the network and the data center;

a cluster head coupled to each of the plurality of probe devices, the cluster head receiving
collected statistical information from the probe devices and determining from the collected
information whether the data center is under a denial of service attack.

(Original) 2. The device of claim 1 wherein the cluster head is coupled to the plurality
of probe devices through a dedicated, private network.

(Currently Amended) 3. The device of claim 2 wherein the cluster head further
comprises:

a communication process that sends statistics collected by the probe
devices to a control center, and that receives queries or instructions from the control center.

(Original) 4. The device of claim 3 wherein the monitoring device is a gateway device
and further comprises:

a process to install filters to thwart denial of service attacks by removing network traffic
that is deemed part of an attack.

(Original) 5. The device of claim 1 wherein the probes are physically deployed in line
in the network.

(Currently Amended) 6. The device of claim 1 wherein the probes execute a joining
process that allows the probes to join a cluster.

(Currently Amended) 7. The device of claim 1 wherein the cluster head comprises a
process to aggregate traffic statistics collected from the various probes and to produce logs and
apply detection heuristics to the statistics collected from the probes.

(Original) 8. A method of thwarting denial of service attacks on a victim data center 
coupled to a network comprises: 

monitoring network traffic through probes that are disposed between the victim data 
center and the network; and 

communicating data from the probes, over a dedicated network, to a cluster head device. 

(Original) 9. The method of claim 8 further comprising: 

communicating data from the cluster head device to a control center over a hardened 
network. 

(Original) 10. The method of claim 8 further comprising: 
analyzing network traffic statistics to identify malicious network traffic; and 
filtering network traffic, which is identified as malicious network traffic, during 
analyzing of the network traffic. 

(Currently Amended) 11. The method of claim 8 further comprising
providing the cluster head device and the probe devices as a clustered gateway.

(Currently Amended) 12. The method of claim 11 wherein when a new cluster probe
seeks to join the clustered gateway, the method further comprises:

dynamically discovering the new cluster probe that seeks to join the clustered
gateway.

(Original) 13. The method of claim 8 further comprising:

performing intelligent traffic analysis and filtering to identify the malicious traffic and to 
eliminate the malicious traffic. 

(Original) 14. The method of claim 13 wherein performing intelligent traffic analysis is 
controlled by the cluster head and filtering is performed by the probes. 

(Currently Amended) 15. A gateway for thwarting denial of service attacks on a 
victim data center comprises: 
a cluster head; and 

a plurality of probes disposed between a network and a victim, the probes collecting 
statistical data, for performance of intelligent traffic analysis and filtering by the probes,
to identify malicious traffic for thwarting denial of service attacks. 

(Original) 16. The gateway of claim 15 wherein the gateway includes a process to insert 
filters to discard packets that are deemed to be part of an attack.

(Currently Amended) 17. A monitoring device disposed for thwarting denial of
service attacks on a data center, the monitoring device comprising:

a device that collects statistical information on packets that are sent between the network 
and the data center over a plurality of links and that produces statistical information from 
network traffic over the plurality of links to determine from the statistical information whether 
the data center is under a denial of service attack. 

(Original) 18. The monitoring device of claim 17 wherein the monitoring device is 
coupled to a control center through a hardened network. 

(Original) 19. The monitoring device of claim 17 wherein the device further comprises: 

a communication process that communicates statistics with a control center, and that
receives queries or instructions from the control center. 

(Original) 20. The monitoring device of claim 17 wherein the monitoring device is a 
gateway device and further comprises: 

a process to install filters to thwart denial of service attacks by removing network traffic 
that is deemed part of an attack. 

(Currently Amended) 21. The monitoring device of claim 20 wherein the gateway
comprises: 

a process to aggregate traffic statistics collected from the various links and to produce 
logs and detection heuristics concerning the statistics collected from the probes.

(Original) 22. A method of thwarting denial of service attacks on a victim data center 
coupled to a network comprises: 

monitoring network traffic over a plurality of links between the victim data center and the 
network; and 

communicating data, over a hardened network, to a control center. 

(Original) 23. The method of claim 22 wherein monitoring is performed by probe 
devices that sample network traffic at a constant rate. 

(Currently Amended) 24. The method of claim 23 further comprising:

delivering the sampled network traffic by the probes to a clustered head for traffic
analysis.

(Original) 25. The method of claim 23- 24 wherein the probes send the sampled network 
traffic to the cluster head at a substantially constant rate irrespective of traffic on the monitored 
network. 



Applicant : Massimiliano Poletto et al.
Serial No. : 10/062,974
Filed : January 31, 2002
Page : 6 of 11
Attorney's Docket No.: 12221-011001

Please add new claims 26-32.

(New) 26. The device of claim 1 wherein the probes are coupled between the 
network and the data center to monitor traffic on links that couple the data center to the network. 



(New) 27. The device of claim 1 wherein the probes are scaleable and can 
dynamically join or leave the cluster. 



(New) 28. The device of claim 1 wherein the cluster head analyzes traffic on the 
links and treats the traffic on the monitored links as if the traffic originated on one virtual link. 

(New) 29. The device of claim 1 wherein at least one of the probes examines packets 
sent across the link that the at least one probe monitors and randomly chooses selected numbers 
of packets per second to pass to the cluster head. 

(New) 30. The method of claim 8 wherein monitoring comprises disposing the 
probes to monitor traffic on links that couple the data center to the network. 

(New) 31. The device of claim 15 wherein the probes are coupled between the 
network and the data center to monitor traffic on links that couple the data center to the network. 

(New) 32. The device of claim 18 wherein the probes are coupled between the 
network and the data center to monitor traffic on links that couple the data center to the network. 



